Introduction

On an Active Directory (AD) domain controller (DC), Samba uses an external application to provide Kerberos support. In version 4.6 and earlier, Samba only supported the Heimdal Kerberos implementation for the Key Distribution Center (KDC). For this reason, vendors of operating systems that only support MIT Kerberos could not provide packages with AD DC capabilities. On these operating systems you can build Samba or use third-party packages with AD DC support to set up a DC, but Samba cannot be fully integrated into operating systems that use MIT Kerberos.

Samba 4.7 and later supports building Samba with MIT Kerberos. Distributions that previously did not provide AD DC-aware Samba packages because they use MIT Kerberos are now able to provide such packages. For details about migrating a Samba DC, for example, from self-compiled to packages, see Migrating a Samba Installation.

Experimental Feature

Using MIT Kerberos is still considered experimental.

Samba 4.7 and later versions have shipped with code to support building the Samba AD DC using MIT Kerberos. Since the release, a number of issues, including security issues, have been found through real-world use. Sadly, however, the Samba Team has not been able to resource the resolution of these issues to a standard that we are happy with, and so the Samba 4.9.3, 4.8.7 and 4.7.12 releases mark this mode more clearly as experimental.

As an experimental feature, we will not be issuing security patches for
this feature, including for:

The samba.so Kerberos database module is stored in the krb5/plugins/kdb/ subdirectory of the modules directory. In the previous example, the file is located in the /usr/local/samba/lib/krb5/plugins/kdb/ directory. In the next step, set the db_module_dir parameter in the kdc.conf file to this directory.

Create the kdc.conf file in the Samba private directory, for example /usr/local/samba/private/kdc.conf.
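
A check for the two steps above, as an added example that is not part of the Samba documentation: it reads db_module_dir from the [dbmodules] section of a kdc.conf, confirms that samba.so is in that directory, and flags group- or world-writable permissions on the directory or the module, because the KDC loads this shared object. The function names and exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Samba documentation): verify that kdc.conf
# points the KDC at the directory that really holds samba.so.
# Function names and exit codes are assumptions made for this example.

# Print the db_module_dir value found in the [dbmodules] section of $1.
kdc_db_module_dir() {
    awk '
        # Track whether the current section header is [dbmodules].
        /^[ \t]*\[/ { in_db = ($0 ~ /^[ \t]*\[dbmodules\]/); next }
        in_db && /^[ \t]*db_module_dir[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop the parameter name and "="
            sub(/[ \t]+$/, "")         # drop trailing blanks
            print
            exit
        }
    ' "$1"
}

# Exit codes: 0 ok, 2 parameter missing, 3 samba.so missing,
# 4 directory or module writable by group or others.
check_kdb_module() {
    conf=$1
    dir=$(kdc_db_module_dir "$conf")
    if [ -z "$dir" ]; then
        echo "$conf: no db_module_dir in [dbmodules]" >&2
        return 2
    fi
    if [ ! -f "$dir/samba.so" ]; then
        echo "$conf: samba.so not found in $dir" >&2
        return 3
    fi
    # The KDC loads this shared object, so neither it nor its directory
    # should be writable by group or others.
    loose=$(find -L "$dir" "$dir/samba.so" -prune \( -perm -020 -o -perm -002 \))
    if [ -n "$loose" ]; then
        echo "$conf: group/world-writable: $loose" >&2
        return 4
    fi
    return 0
}

# Usage: sh check_kdb.sh /usr/local/samba/private/kdc.conf
if [ "$#" -ge 1 ]; then
    check_kdb_module "$1"
fi
```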